Congratulations on making it to Phase 3 of PEN Consultants’ interview process! This next phase has two parts – Getting to Know PEN Consultants and Challenges.
Part 1 of this phase is to help us ensure you understand our company, the positions we’ve taken on certain cybersecurity debates, how we interact with our clients, our strong faith culture, etc. Part 2 allows you to demonstrate some basic hands-on challenges and communicate what you found.
Part 1 – Getting to Know PEN Consultants
- Don’t overthink this! We’re just looking to make sure you understand how the security testing business works, the stances we’ve taken on certain topics, our company background, etc. Each question should not take you more than just a couple of minutes (max).
- When you are finished, please respond to our original email with a PDF of your responses.
- Honesty and transparency are always best. If you get into this and realize it’s not the type of work you were hoping for, it isn’t in line with your career goals, our opinions rub you the wrong way, etc., feel free to respond with a “Thanks for the opportunity, however, I don’t believe I’m interested at this time” email.
- Why do you want to work in the security and penetration testing industry?
- Summarize PEN Consultants’ company background, purpose, vision, and mission, the meaning behind our logo and slogan – Rock Solid Security, etc.
- Review: https://penconsultants.com/testingDiff
- Question: If a client is seeking to test their ability to detect and respond to an active threat, which service would you recommend and why?
- Question: If a client says they are in need of the most affordable solution for testing, which service would you recommend and why?
- Review: https://penconsultants.com/shields
- Question: Why should testing almost never be performed through firewalls/WAFs/etc. when auto mitigate/IPS type features are enabled? Should the tester’s IP be white listed, and if so, when? Explain.
- Question: Which compliance standard specifically states that security testing should not be performed through something such as a WAF in auto-block mode?
- Review: https://penconsultants.com/graybox
- Question: What are some of the benefits of white box testing?
- Question: Are there benefits to black box testing?
- Review: https://penconsultants.com/services
- Question: What is a ballpark price for an internal penetration test for a network with 1,600 workstations? The client is not interested in debriefings, or any technical support afterward, just a report of our findings.
- Question: What is the monthly cost to have PEN Consultants on retainer (i.e. Cybersecurity Unlimited) for 10 hrs per month?
- Review: https://penconsultants.com/informed
- Question: If a client asks how they are kept informed during an engagement, what would you tell them?
- Review: https://penconsultants.com/testimonials
- Question: A prospective technology software company is asking for references to our past clients. What are some references you could provide?
- Review: https://penconsultants.com/home/services/nonprofits/
- Question: Why would faith-based organizations receive a 30% discount (or more), but no one else?
- Review: https://penconsultants.com/csr
- Question: What percentage of our revenue do we give to charity?
- Question: Who do we currently support?
- Review: https://penconsultants.com/report
- Download a copy of the report and review it. This is the deliverable you will have to create for most engagements.
- Question: Which discovered vulnerability allowed us to gain access to 100% of the user passwords?
- Question: What attack is possible if the x-frame-options header, or equivalent, is missing in web server responses?
- Question: When looking at, or considering, other pentest companies you could be working for, what about PEN Consultants makes you want to work here?
- Question: What are some concerns you have at this stage of the interview process (about us, about the work, the environment, etc.)?
- Question: What questions do you have for us?
That’s it for the questions! You are encouraged to review the other company pages and blog posts to continue familiarizing yourself with our company.
Part 2 – Challenges:
If you don’t already have an account for Portswigger Academy (https://portswigger.net/web-security), you will need to create a free account prior to completing these challenges.
Solve at least three of the following challenges, and document how you went about solving them. Then, choose one of the challenges you solved, and write a detailed finding and recommendation for it (as seen in our example report: https://penconsultants.com/report).
Note: You do not need to create an entire report; you will just create one FR to address your findings and recommendations for the challenge you chose.